Synopsis
Executes a custom complex computation on search query results.
Syntax
execute [expression] (as result1, result2)
Required Arguments
expression
Syntax: mathematical expression
Description: A mathematical expression that is performed on the search results. The user formulates it using the Execute search syntax (see http://www.japisoft.com/formula/doc/index.html).
Optional Arguments
result1, result2
Syntax: <search string>.
Description: If the executed expression returns results that go into more than one column, the column names, preceded by as, must be placed in parentheses following the expression.
Description
Executes an expression on each event in the search query. If the returned results go into more than one column, they are entered under the columns whose names appear in parentheses after the expression.
Examples
Example 1:
* in log.access | execute if (total == NULL) THEN (total = 0); if (column.bytes\ sent != NULL && column.bytes\ sent != "-") THEN (total = total + column.bytes\ sent);total | group by status | order by value desc
Computes the total of the bytes sent column of the events in log access per status, and displays the total of each status in descending order of the total value.
Example 2:
* in log.application_log | count, sum col_name| interval 1 hour | execute result = column.count * 100 / column.sum ; result | interval 1 hour
Computes the sum of a value in the field col_name on an hourly basis, and computes the percentage of that value out of the total number of events during that time.
Example 3:
* in log.iis log | avg time-taken | group by cs-uristem | execute if (count1 == NULL) THEN (count1 = 0);if (count2 == NULL) THEN (count2 = 0);if (count3 == NULL) THEN (count3 = 0);timetaken = column.avg; if (timetaken > 100 && timetaken < 300) THEN (count1 = count1 + 1);if (timetaken >= 300 && timetaken < 400) THEN (count2 = count2 + 1);if (timetaken >= 400 && timetaken < 500) THEN (count3 = count3 + 1);map = mapput(map,"100",count1);map = mapput(map,"300",count2);map = mapput(map,"400",count3);map as type,value | order by type
Groups the URLs into types by their average time taken (100-300, 300-400 and 400-500 milliseconds, based on the time-taken log field) and computes the number of URLs of each type.
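To cross-check the output of Example 3 against the raw log, the same comparisons can be reproduced outside the search engine. The Python below is an added example, not part of the product documentation; the sample log is constructed and the W3C field names cs-uri-stem and time-taken are assumptions. It shows that, with the comparisons as written, an average of exactly 100 or of 500 and above is counted in no type.

```python
from collections import defaultdict

# Constructed IIS W3C sample (not real traffic); '#Fields:' names the columns.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status time-taken
2024-01-01 10:00:00 GET /login 200 100
2024-01-01 10:00:01 GET /login 200 100
2024-01-01 10:00:02 GET /home 200 120
2024-01-01 10:00:03 GET /search 200 150
2024-01-01 10:00:04 GET /search 200 350
2024-01-01 10:00:05 GET /report 200 320
2024-01-01 10:00:06 GET /export 200 460
2024-01-01 10:00:07 GET /backup 200 500
2024-01-01 10:00:08 GET /health 200 -
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # drop truncated or malformed rows
                yield dict(zip(fields, values))

def avg_time_by_uri(events):
    """Counterpart of: avg time-taken | group by <URI column>."""
    samples = defaultdict(list)
    for ev in events:
        if ev["time-taken"].isdigit():  # skip '-' and other non-numeric values
            samples[ev["cs-uri-stem"]].append(int(ev["time-taken"]))
    return {uri: sum(v) / len(v) for uri, v in samples.items()}

def bucket_counts(averages):
    """Same comparisons as the execute expression; returns (type, value) rows."""
    counts = {"100": 0, "300": 0, "400": 0}
    for timetaken in averages.values():
        if 100 < timetaken < 300:
            counts["100"] += 1
        if 300 <= timetaken < 400:
            counts["300"] += 1
        if 400 <= timetaken < 500:
            counts["400"] += 1
    return sorted(counts.items())  # order by type

print(bucket_counts(avg_time_by_uri(parse_w3c(SAMPLE_LOG))))
```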